hswan

q3k's pipedream of an intra-Hackerspace (and not only) alternate IP network, based on point-to-point links and BGP. Currently centered around the Warsaw Hackerspace.

Technology

  • Secure links over the public internet or private links
  • BGP with 32-bit AS numbers
    • RFC1918 10/8 allowed
    • might allow longer IPv4 prefixes than /24
    • need to find a crypto system for allowing ASses and prefixes to be announced - right now, we are as secure as the Internet is (not much)

Number Assignment

Currently, there is one assignment authority, and that is the Warsaw Hackerspace. For assignment, please contact bofh@hackerspace.pl.

ASN

We use the 32-bit private ASN numbering scheme, as defined by RFC6996. Each system that is part of the WAN must have an AS number assigned.

| ASN | OrgName | PoC | Physical presence | Willing to peer physically? |
|---|---|---|---|---|
| 4242424242 | Warsaw Hackerspace | bofh@hackerspace.pl | Warsaw, ul. Wolność 2A | Yes. Radio within LoS |
| 4250000001 | q3knet | q3k@q3k.org | Grand Canal Dock, Dublin | No. |
| 4250000002 | Hackerspace Krakow | noc@hackerspace-krk.pl | Cracow, Zacisze 5/P1 | Probably ;) |
| 4250000003 | Dragon Sector | noc@drgns.pl | n/a (Internet) | No. |
| 4250000004 | Nibylandia | ar@bash.org.pl | Warsaw, ul. ? | |
| 4250000005 | _lambdarail_ | lquawl@hackerspace.pl | Warsaw, ul. Jaktorowska | |
| 4250000006 | pidpawel | abuse@pidpawel.eu | Kraków, Ruczaj | Yes. |
| 4242422001 | buka | enki@fsck.pl | Warsaw | |
| 4250000008 | dfgg | dfgg@hackerspace.pl | Bydgoszcz | Currently no. |
| 4250000009 | archnet | on demand via q3k@hspl | Warsaw | |
| 4250000010 | hskrk-mciancia | | Kraków | |
| 4250000011 | aquila | mlen@mlen.pl | Jelenia Góra | |
| 4250000012 | googlecloud | q3k@q3k.org | THE CLOUD | |
| 4250000013 | tog | admin@tog.ie | Blackpitts, Dublin | Yes. |
| 4250000014 | hskrk-wiktor | admin@sq9.wtf | Kraków, ul. Kluzeka | sure, will try mesh soon |
| 4250000015 | tkd | tomek@hackerspace.pl | Kallang Road, Singapore | No. |
| 4250000016 | hskrk-alwaro | alwaronx@gmail.com | Kraków | |

IPv4 Addresses

We use the 24-bit RFC1918 pool. When we run out, we'll figure out what to do. Bear in mind, a location can use IPv4 outside this pool (or overlapping), but they will need to be NATted.

| Prefix | OrgName | NetName |
|---|---|---|
| 10.8.0.0/14 | Warsaw Hackerspace | hswawnet01 |
| 10.12.0.0/16 | Hackerspace Krakow | hskrknet01 |
| 10.13.0.0/16 | Dragon Sector | dsnet01 |
| 10.21.0.0/16 | dfgg | hurrdurr01 |
| 10.23.0.0/16 | pidpawel | pidnet01 |
| 10.24.10.0/24 | Nibylandia | nbland01 |
| 10.24.20.0/24 | Nibylandia | nbland02 |
| 10.24.250.0/24 | Nibylandia | nbland03 |
| 10.25.0.0/16 | _lambdarail_ | lbrail01 |
| 10.26.0.0/16 | archnet | archnet01 |
| 10.30.0.0/24 | googlecloud | googlecloud-euwest1 |
| 10.30.1.0/24 | googlecloud | googlecloud-uscentral1 |
| 10.42.0.0/16 | hskrk | hskrk-members |
| 10.42.0.0/20 | hskrk-wiktor | hskrk-wiktor |
| 10.42.16.0/20 | hskrk-mciancia | hskrk-mciancia |
| 10.42.32.0/20 | hskrk-alwaro | hskrk-alwaro |
| 10.48.0.0/16 | tog | tog01 |
| 10.50.0.0/24 | tkd | xibalba |
| 10.78.0.0/24 | q3knet | q3knet01 |
| 10.78.1.0/24 | q3knet | q3knet02 |
| 10.78.2.0/24 | q3knet | q3knet03 |
| 10.99.0.0/24 | BUKA | BUKA-HSWAN-NET |
| 10.100.0.0/23 | aquila | aquila01 |
| 172.20.171.64/26 | BUKA | BUKA-DN42-NET |

IPv6 Addresses

We need to figure this out soon.

Security Implications

Since hswan is built on the same technology stack as the Internet, security is mostly by trust. This means that, if you join hswan, you should take precautions by securing your local network. Remember to:

  • Only expose services that you would feel comfortable putting directly on the Internet, so
    • Statefully firewall off access to your guests' machines (laptops, phones…)
    • Keep your network device management interfaces away from the WAN completely
  • Filter incoming BGP prefixes against injection of your own address space and 0/0
  • Not rely on the confidentiality of a link to another site (use end-to-end encryption)
  • Whitelist rather than blacklist everything

With these precautions in place you should be able to experience the fun of having a world-wide Hackerspace WAN without putting your network in danger.
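
The prefix filtering and whitelisting advice above, sketched as an import-policy check (an added example, not hswan's own tooling). It goes beyond the two filters named in the list by also matching the origin ASN against the assignment tables on this page. The function name `check_route`, the `max_len=24` limit and the choice of Warsaw Hackerspace as the local site in the usage are assumptions.

```python
import ipaddress

# Prefix -> origin ASN, joined by OrgName from the page's two assignment tables (subset).
REGISTRY = {
    ipaddress.IPv4Network(p): asn for p, asn in {
        "10.8.0.0/14": 4242424242,   # Warsaw Hackerspace
        "10.12.0.0/16": 4250000002,  # Hackerspace Krakow
        "10.13.0.0/16": 4250000003,  # Dragon Sector
        "10.48.0.0/16": 4250000013,  # tog
        "10.78.0.0/24": 4250000001,  # q3knet
    }.items()
}

def check_route(prefix, as_path, local_asn, local_nets, max_len=24):
    """Decide whether to import one received IPv4 route; returns (accept, reason).

    max_len=24 is an assumption; the page leaves the longest allowed prefix open.
    """
    try:
        net = ipaddress.IPv4Network(prefix)  # strict: host bits must be zero
    except ValueError:
        return False, "malformed prefix"
    if not as_path:
        return False, "empty AS path"
    if net.prefixlen == 0:
        return False, "default route"
    if local_asn in as_path:
        return False, "own ASN in path"
    if any(net.overlaps(ipaddress.IPv4Network(n)) for n in local_nets):
        return False, "overlaps own address space"
    if net.prefixlen > max_len:
        return False, "too specific"
    # Whitelist: the prefix must sit inside an assignment, and the origin
    # (last ASN in the path) must be the assignee.
    for assigned, asn in REGISTRY.items():
        if net.subnet_of(assigned):
            if as_path[-1] == asn:
                return True, "ok"
            return False, "origin ASN does not match assignment"
    return False, "unassigned prefix"

if __name__ == "__main__":
    # Constructed announcements, seen from Warsaw Hackerspace (AS4242424242).
    for pfx, path in [("0.0.0.0/0", [4250000002]),
                      ("10.8.5.0/24", [4250000002, 4250000003]),
                      ("10.13.0.0/16", [4250000002, 4250000003])]:
        print(pfx, path, check_route(pfx, path, 4242424242, ["10.8.0.0/14"]))
```

The origin check is a registry whitelist, not cryptographic validation: a peer can still forge an AS path that ends in the right origin.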

How to join

  • Get an ASN and IPv4 network assigned
  • Find a party to peer with
    • If interested in a physical link, find one with a physical presence nearby
    • If interested in a virtual link, find whomever you can trust and who will trust you
  • Establish connectivity, notify Warsaw Hackerspace ops.

How to give someone access

  • Please notify Warsaw Hackerspace ops that you will be setting up a link with third parties
  • Make sure to only give access to parties that you can trust
  • Allowing propagation of hijacked prefixes and ASN announcements is grounds for automatic termination of connectivity

Compared to ChaosVPN

q3k does not really enjoy the idea of being locked into one piece of software. Everything speaks BGP, and the physical link choice is left for the peers to decide (OpenVPN/IPSec/ATM/MPLS/CAT6/Fiber/Radio…).

Also, hswan is more fun and less secure.

Compared to dn42

Same concept - hswan was conjured up before q3k was aware of dn42.

hswan is also compatible with the HSWAW address space and has more blocks available… for now.

hswan @ hswaw

You are free to use the following services:

If you are @HSWAW, you are in HSWAN! Your laptop is statefully firewalled (only outgoing connections are allowed), don't worry. Additionally, if you host anything in our Lab, it will be accessible to people from the WAN.

„pictures of hswan”

dfgg

  • 15:49 < dfgg> here's my hswan endpoint xD
  • 15:49 < q3k> quality xD

q3k

Lackrack. Seal of approval included.

projects/hswan.txt · Last modified: 2018/02/08 23:42 by pidpawel